package com.young.jdbc;

import java.io.FileInputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;
import java.util.Scanner;

/**
 * @Author young
 * @Date 2021-12-03 7:54
 * @Description:演示statement的注入问题
 * admin_name = 1' or
 * admin_pwd = or '1'='1
 */
public class Statement_demo {
    public static void main(String[] args) throws Exception {
        Scanner scanner = new Scanner(System.in);

        System.out.println("请输入管理员名称：");
        String admin_name = scanner.nextLine();
        System.out.println("请输入管理员密码：");
        String admin_pwd = scanner.nextLine();

        Properties properties = new Properties();
        properties.load(new FileInputStream("src\\mysql.properties"));
        String url = properties.getProperty("url");
        String user = properties.getProperty("user");
        String password = properties.getProperty("password");
        String driver = properties.getProperty("driver");

        Class.forName(driver);
        Connection connection = DriverManager.getConnection(url, user, password);

        String sql = "select name,pwd from admin where name='"+admin_name+"'and pwd='"+admin_pwd+"'";
        Statement statement = connection.createStatement();
        ResultSet resultSet = statement.executeQuery(sql);

        if (resultSet.next()){
            System.out.println("恭喜，登陆成功");
        }else {
            System.out.println("对不起，登陆失败");
        }

        resultSet.close();
        statement.close();
        connection.close();
    }
}
